On December 10, the Federal Trade Commission ("FTC") issued the staff report, "Mobile Apps for Kids: Disclosures Still Not Making the Grade." The report describes the results of a recent survey by FTC staff that examined the privacy disclosures and practices associated with 400 mobile applications ("apps") targeted to children. The report follows up on a similar FTC staff report issued in February 2012, which noted that, based on an initial survey of child-focused apps, very few mobile app developers or app stores provide privacy policies, disclosures, or other information that enable parents to determine what data is collected from their children and how that information is used or shared with third parties.

According to the Commission, the latest staff survey reveals that "little or no progress has been made" by the mobile app industry on increasing transparency in the mobile marketplace during the past year. In response, the Commission is urging app developers and app store operators to implement privacy best practices, such as those outlined in the FTC's March 2012 privacy report. In addition, the report notes that FTC staff has launched multiple non-public investigations to determine whether certain entities in the mobile app ecosystem are violating the Children's Online Privacy Protection Act ("COPPA") or engaging in unfair or deceptive practices in violation of Section 5 of the FTC Act.

For these reasons, the recent mobile app report is a good reminder for all participants in the mobile app ecosystem to reassess their role and responsibilities related to mobile apps and corresponding privacy disclosures, data collection, and data sharing to confirm whether existing business practices and compliance efforts match evolving FTC recommendations (and warnings). Taking such proactive efforts may help mitigate the likelihood of being faced with a "surprise" FTC subpoena that includes more demanding information and document requests (and a quick turn-around for a response) seeking to determine whether there has been a law violation of the mobile app developer or the third parties that financially benefit from such practices.

Background

Following the FTC staff's first mobile app survey in early 2012, FTC Chairman Jon Leibowitz encouraged mobile app companies to "step up to the plate" by providing simple and easily accessible privacy disclosure information that would allow parents to make informed decisions about the mobile apps used by their children. The Commission also stated that it would conduct a follow-up survey in six months to evaluate whether industry had addressed the Commission's initial concerns.

The latest report highlights the results of the FTC staff's follow-up survey conducted during the summer of 2012. Similar to the staff's initial app survey, the recent survey involved 400 randomly-selected mobile apps targeted to kids ― 200 from the Apple app store and 200 from the Google Play app store ― covering a range of app categories, including "educational," "game," "memory," and "coloring."

FTC staff evaluated the disclosures that these mobile apps provided on their privacy practices and interactive features, such as links to social media. In addition, the survey also compared each app's disclosures with its actual functions and features to determine whether the apps included interactive features or shared children's information with third parties without disclosing these facts to parents.

The Survey Results

The latest survey results show that, similar to the results of the initial survey, very few mobile apps targeted to children include basic information about the app's privacy practices and interactive features, including the type of data collected, the purpose of the collection, and whether third parties have access to such data. According to the report, "industry appears to have made little or no progress in improving its disclosures" since the previous survey, despite evidence that undisclosed information is occurring on a frequent basis.

A summary of the key results from the survey includes the following:

Privacy disclosures – Only 20 percent of the mobile apps that were reviewed disclosed any privacy-related information prior to the download process, which is an increase of only 4 percent from the staff's initial app survey. Similarly, only 20 percent of the apps provided any type of privacy disclosure after downloading the app, either on the app's promotion page, on the developer website, or within the app. The report also notes that a significant portion of the privacy disclosures that were provided were lengthy, difficult to read, or highly technical, while other disclosures lacked basic details including the specific types of information that the app collects.

Information collection and sharing practices – Fifty-nine percent of the mobile apps transmitted information ― including a device identifier, a user's name, birth date, email/mailing address, phone number, or geolocation data ― from the user's mobile device back to the developer or to a third party. The data most frequently transmitted was the user's device ID. Specifically, 56 percent of the apps transmitted the user's device ID to ad networks, analytics, or other third parties, but only 20 percent of this subset of apps provided privacy disclosures. According to the Commission, this finding is troubling because device IDs are difficult or impossible to change, and they can be used by apps, developers, and other companies to create comprehensive sets of data or "profiles" about specific users.

Disclosure practices regarding interactive app features

In-app advertising: Fifteen percent of the mobile apps disclosed whether they contain advertising, including 6 percent of apps that expressly stated that they do not contain advertising. Yet, according to FTC staff, nearly half of the apps which stated that they did not include advertising actually contained advertising, including ads targeted to a mature audience, such as ads for online dating sites.

In-app purchases: Seventeen percent of the mobile apps reviewed allowed users to make purchases within the app ("in-app purchases"), which represents an almost three-fold increase in the number of apps that allowed in-app purchases in the first staff survey. The report notes that both the Apple and Android operating systems provide users with certain indicators that identify the ability to make in-app purchases; however, according to staff, parents may not recognize these indicators, understand the meaning of the term "in-app purchase," or understand that their children can make frequent and expensive purchases.

Social media: Nine percent of the mobile apps reviewed disclosed that they linked with social media applications such as Facebook, Google+, and Twitter; however, the survey found that this number represented only half of the apps that actually linked to social media sources. The report states that many parents may not want their children to communicate with other users or to post information about themselves, including their location, and that "the presence of social features within an app is therefore highly relevant to parents. . . and should be disclosed prior to download."

FTC Response to the Latest Survey

According to FTC staff, the latest survey indicates "a significant discrepancy between the privacy disclosures and the actual practices of the surveyed apps," which is preventing parents from making informed choices about their children's privacy and exposure to social networks and other interactive features. In response, the Commission is strongly urging entities in the mobile app industry to develop and implement "best practices" to protect privacy, including the following recommendations contained in the March 2012 FTC Privacy Report: (1) incorporate privacy protections into the design of mobile products and services ("privacy by design"); (2) offer parents easy-to-understand choices about an app's data collection and sharing; and (3) provide greater transparency about how data is collected, used, and shared. The Commission is urging developers to implement these steps "expeditiously" to ensure that consumers have confidence in the mobile app marketplace.

The report also reveals that FTC staff has initiated a number of nonpublic investigations to determine whether certain mobile app operators are violating the Children's Online Privacy Protection act ("COPPA"), or engaged in unfair or deceptive trade practices in violation of the FTC Act.

Lastly, FTC staff intends to conduct a third app survey in 2013. According to Chairman Leibowitz, the Commission "expect[s] to see improvement" with respect to the mobile app industry's privacy disclosure practices in light of the recommendations and enforcement initiatives described above.

Conclusion

The FTC staff report is one of several recent developments which indicate that consumer privacy as it relates to mobile apps, particularly those that target children, will remain a key area of focus for federal and state regulators in 2013. On December 11, for example, the Center for Digital Democracy filed a complaint with the FTC alleging that the developer of the mobile app game Mobbles violated COPPA by failing to post a privacy policy despite collecting personal information from children under the age of 13. On December 6, the California Attorney General announced that, as part of its ongoing effort to improve privacy disclosures in mobile apps, it filed a lawsuit against Delta Airlines for failing to post a privacy policy within its Fly Delta mobile app, alleging that the omission is a violation of California's online privacy laws. Additional lawsuits by the Attorney General may be forthcoming. Lastly, the FTC is expected to announce its final update to the COPPA Rule in the coming weeks, and it likely will include specific provisions to address privacy concerns associated with mobile apps targeted to children.

Given these developments, all stakeholders in the mobile app ecosystem should heed the Commission's recommendation to carefully evaluate their existing privacy practices and disclosures and apply the FTC's best practices as appropriate. Entities that implement the FTC's recommendations will be in a better position to defend privacy and data security practices in the event of an enforcement action, as well as quickly adapt to privacy policy changes if and when they occur.

Kelley Drye & Warren LLP

Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.